North Korean Trojan: BANKSHOT

2017-12-21 USCISA

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

Attachments

e5c0ca00ddcb691ad2d08f89e5e274661f6b3f0c.pdf (161 KB)

DHS and the FBI analyzed seven malicious Windows executables attributed to HIDDEN COBRA activity and identified them as BANKSHOT malware variants. Five samples function as proxy applications that mask operator traffic with a shared cipher, while two are RATs capable of running commands on infected systems. Two proxy variants can generate fake TLS handshake sessions using valid public SSL certificates, and one RAT uses OpenSSL-based encryption for C2 communications and may have installed proxy servers on compromised hosts. The report provides YARA detection logic and hashes for the analyzed files so defenders can hunt for proxy and RAT activity tied to North Korean government operations.

Indicators of Compromise

